Privacy Policy
Last updated: 2026-05-15
1. Who We Are
This privacy policy explains how Dominik Iwoła ("we", "us", "SearchPresence") processes personal data when you visit our website at searchpresence.app (or its locale subpaths) and when you use our audit service.
We are the controller of the personal data described in this policy within the meaning of Article 4(7) of the EU General Data Protection Regulation (GDPR).
- Registered name: Dominik Iwoła
- Registered seat: Kabaczkowa 2/2, 52-311 Wrocław, Poland
- Company register: CEIDG — NIP 8992901407
- Tax ID (NIP): 8992901407
- Statistical ID (REGON): 389303319
- General contact: hello@searchpresence.app
- Privacy contact: privacy@searchpresence.app
- Data Protection Officer: Not appointed
2. Scope
This policy covers personal data we process in connection with:
- visitors to our website, including the landing page and any locale subpaths
- people who join our waitlist
- people who request a free audit preview
- people who purchase a paid audit, site pack, or handbook
- people who contact us by email or other channels
It does not cover personal data on third-party websites you reach from our site, including the websites you submit for audit.
3. Personal Data We Process
We process the following categories of personal data.
3.1 Data you provide directly
| Category | Examples | Source |
|---|---|---|
| Waitlist data | Email address, locale preference | Waitlist sign-up form |
| Audit input data | URLs you submit for audit (your own and competitor URLs), language preference | Audit / preview submission |
| Account data (when accounts are introduced) | Name, email, hashed password or identity-provider ID | Sign-up flow |
| Billing data | Billing name, billing email, country, VAT ID (B2B), invoice address | Checkout |
| Communications | Content of emails or support messages you send us | Direct contact |
3.2 Data collected automatically
| Category | Examples | Source |
|---|---|---|
| Technical data | IP address, user agent, device type, screen size, referrer, requested URL, timestamps | Web server and client telemetry |
| Approximate location | Country and region inferred from IP (used for currency selection) | Geolocation header from our hosting provider |
| Cookie data | Identifiers stored in cookies and similar technologies (see our cookie policy) | Your browser |
| Product usage data | Pages viewed, features used, audit IDs requested, error events | First-party analytics, error monitoring |
3.3 Data from third parties
| Category | Source |
|---|---|
| Payment status, last four digits of card, payment method type, partial billing address | Stripe (we never receive full card numbers) |
| Email delivery and bounce status | Resend |
3.4 Page content you submit
When you submit a URL for audit, our worker fetches the public content of that page and processes it to produce the report. Any personal data contained in that page (for example, a name on a contact page, or a team biography) is processed only to produce the audit. We do not seek out personal data on audited pages, and we do not retain audited content beyond what is needed to render the report and the included re-audit (see §8).
4. Why We Process Data and on What Legal Basis
We rely on the following legal bases under GDPR Article 6.
| Purpose | Legal basis |
|---|---|
| Operate the website and deliver requested content | Legitimate interest (Art. 6(1)(f)) — running a website you have asked to visit |
| Provide the audit service you purchased | Performance of a contract with you (Art. 6(1)(b)) |
| Issue invoices and meet tax obligations | Legal obligation (Art. 6(1)(c)) under Polish and EU tax law |
| Send waitlist confirmation and waitlist-related transactional emails | Performance of a pre-contractual measure at your request (Art. 6(1)(b)) |
| Send the waitlist launch promotion code once | Performance of a pre-contractual measure at your request (Art. 6(1)(b)) |
| Detect, prevent, and investigate fraud, abuse, and security incidents | Legitimate interest (Art. 6(1)(f)) — protecting our service and our users |
| Detect approximate country to pick a display currency | Legitimate interest (Art. 6(1)(f)) — showing a price in a currency you can use |
| Set non-essential cookies (analytics, marketing) | Your consent (Art. 6(1)(a)) under Art. 399 of the Polish Electronic Communications Act (PKE); see our cookie policy |
| Send marketing emails (when introduced) | Your consent (Art. 6(1)(a)) |
| Improve and develop our service from aggregated and anonymised usage data | Legitimate interest (Art. 6(1)(f)) |
You can object to processing based on legitimate interest at any time (see §10). Where we ask for your consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
5. Sub-Processors and Recipients
We use the following sub-processors to operate the service. Each is bound by a written data-processing agreement under GDPR Article 28 and, where applicable, by Standard Contractual Clauses for transfers outside the EU/EEA.
| Sub-processor | Role | Data | Hosting region |
|---|---|---|---|
| Vercel Inc. | Frontend hosting (apps/web) | Technical data, IP, request metadata | EU (where configurable) |
| Railway Corp. | Worker hosting (apps/worker), BullMQ | Audit job records, page content fetched for audits | EU region preferred where available |
| Supabase Inc. | Database, authentication (when introduced) | Waitlist data, account data, audit records | EU region (eu-central-1 or equivalent) |
| Upstash Inc. | Redis for web-layer rate limiting | Hashed IP addresses, request timestamps | EU region |
| Stripe Payments Europe Ltd. | Payments | Billing data, payment status | Ireland (EU) primary, with US transfers under Stripe's data agreement |
| Resend Inc. | Transactional email delivery | Email address, message content | EU region where configurable |
| Sentry GmbH / Functional Software Inc. | Error monitoring | Stack traces, request metadata, IP | EU SaaS where available |
| PostHog Inc. | First-party analytics, feature flags | Pseudonymised usage events, cookie identifiers | EU instance |
| Anthropic, PBC | LLM analysis for audit content | Audited page content (extracted text), prompts | United States, under Standard Contractual Clauses |
| OpenAI, OpCo, LLC (if used) | LLM analysis for audit content | Audited page content (extracted text), prompts | United States, under Standard Contractual Clauses |
We do not sell personal data to third parties. We share personal data with sub-processors only to the extent necessary to operate the service.
LLM provider note. When we send page content for audit analysis, we send the extracted text and our system prompts to the LLM provider. By default, our LLM providers contractually do not train their models on our API data. If we change provider or those contractual terms change, we will update this policy.
6. International Data Transfers
Some of our sub-processors are based in the United States. For those transfers we rely on:
- Standard Contractual Clauses approved by the European Commission (Decision 2021/914), in combination with supplementary measures where required by the recipient's risk assessment.
- Adequacy decisions where they exist (for example, the EU-US Data Privacy Framework where the recipient is a certified participant).
You can request a copy of the safeguards in place for any specific transfer by emailing privacy@searchpresence.app.
7. Cookies and Similar Technologies
We use cookies and similar technologies on our website. The full disclosure, including each cookie's purpose, retention, and the legal basis for setting it, is in our cookie policy.
Non-essential cookies (analytics, marketing) are set only after you give consent through our cookie banner. You can change your cookie choices at any time through the "Cookie preferences" link in the website footer.
8. How Long We Keep Data
We retain personal data only as long as needed for the purpose for which it was collected, or as required by law.
| Data | Retention | Reason |
|---|---|---|
| Waitlist email | Until you unsubscribe or until 12 months after public launch, whichever is sooner | Pre-contractual contact at your request |
| Audit input URL, extracted page content, generated report | 90 days from the audit completion timestamp, plus 30 days of soft-deleted recovery | Aligns with the 90-day included re-audit window. After that, the report is downgraded to a stub record (audit ID, status, score totals) used for accounting and abuse prevention. |
| Site Pack / Agency Pack credit ledger entries | 12 months from pack purchase, then archived to accounting records for the legally required retention period | Credit accounting; subsequent retention is a legal obligation |
| Account data | Until you delete your account, plus a grace period of 30 days for backups to roll over | Performance of contract |
| Invoices, tax records, billing data | 5 years from the end of the calendar year of issue | Polish tax law (Ordynacja podatkowa); may extend under VAT-OSS rules |
| Email correspondence | 24 months from last message | Service operation and audit trail |
| Cookie identifiers | Per the table in our cookie policy | |
| Server access logs and security telemetry | 30 days for full logs, then aggregated metrics only | Security and abuse prevention |
| Error monitoring data | 30 days | Diagnosing service issues |
You can request earlier deletion at any time (see §10), subject to our legal obligation to retain billing records.
9. Automated Decision-Making
Our audit produces an automated assessment of the page you submit, generated partly by deterministic logic and partly by LLM-based analysis. The audit does not produce a decision that has legal effects or similarly significantly affects you within the meaning of GDPR Article 22. It is a diagnostic report you read and act on at your own discretion.
The audit is not used to make decisions about you as a person. The subject of the audit is a webpage, not its owner or visitors.
10. Your Rights
Under GDPR you have the following rights with respect to your personal data. To exercise any of them, email privacy@searchpresence.app. We will respond within one month; we may extend that period by two further months for complex or numerous requests, in which case we will tell you.
- Right of access (Art. 15) — confirmation of whether we process data about you, and a copy of that data.
- Right to rectification (Art. 16) — correction of inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17) — deletion of your data, subject to legal retention obligations.
- Right to restriction (Art. 18) — to restrict processing while a rectification or objection is being assessed.
- Right to data portability (Art. 20) — to receive a copy of your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — to processing based on legitimate interest. Where we process your data for direct marketing, you have an unconditional right to object at any time and we will stop processing for that purpose without requiring justification.
- Right to withdraw consent (Art. 7) — where processing is based on your consent; withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to lodge a complaint (Art. 77) — with the Polish supervisory authority (Urząd Ochrony Danych Osobowych, UODO, ul. Stawki 2, 00-193 Warsaw, https://uodo.gov.pl) or with the supervisory authority of your habitual residence.
We do not require a specific form for these requests. We may ask for information needed to verify your identity before acting on a request, to make sure we are not disclosing your data to someone else.
11. Security
We apply technical and organisational measures appropriate to the risk, including:
- TLS for data in transit
- Encryption at rest where supported by the underlying storage
- Access controls and least-privilege principles on production systems
- Secrets management for credentials and API keys
- Logging and monitoring for unauthorised access attempts
- Regular review of sub-processor security posture
No system is perfectly secure. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours of becoming aware, and notify you without undue delay where the breach is likely to result in a high risk to you, as required by GDPR Articles 33 and 34.
12. Children
Our service is not directed at children. We do not knowingly process data from individuals under the age of 16 without parental consent where required by national law. If you believe a child has provided personal data to us, contact us at privacy@searchpresence.app and we will delete it.
13. Changes to This Policy
We may update this policy from time to time. We will publish the updated version at this URL with a new "Last updated" date. For material changes, we will give reasonable advance notice via the website or, where we have your email, by email.
Older versions are available on request.
14. Contact
For any privacy question or to exercise a right under this policy:
- Email: privacy@searchpresence.app
- Postal: Dominik Iwoła, Kabaczkowa 2/2, 52-311 Wrocław, Poland
15. Supervisory Authority
You have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement. The Polish authority is:
Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, https://uodo.gov.pl